[MQseries 6.0] Authorities
Bahan
Posted: Thu Aug 23, 2007 8:30 am    Post subject: [MQseries 6.0] Authorities

Apprentice

Joined: 16 Jul 2006
Posts: 47
Location: France

Hi everyone.

I have a little problem with my authorities management.

I'm currently trying to change the authorization of a certain user named MyUser concerning a queue manager.

First, this user had every right :
Code:
dspmqaut -m MyQM -t qmgr -p MyUser
Entity MyUser has the following authorizations for object MyQM:
        inq
        set
        connect
        altusr
        crt
        dlt
        chg
        dsp
        setid
        setall


I tried to use the setmqaut command to suppress some authorizations :
Code:
setmqaut -m MyQM -t qmgr -p MyUser -altusr -chg -crt -dlt -dsp -set -setall -setid


After that, I looked in the WebSphere MQ V6 Fundamentals and I found that, on p. 307, it is necessary to refresh the security cache by using the REFRESH SECURITY MQSC command.
I did the following thing :
Code:
runmqsc MyQM
REFRESH SECURITY


But then, when I did the dspmqaut command again, I always had every authorization for the user MyUser...

In order to find a solution, I tried to end the Queue Manager and then to start it.
Code:
endmqm MyQM

then when it is well stopped.
Code:
strmqm MyQM


But it is always the same.

So I was wondering if I was not forgetting something? Maybe someone can help me?

Thank you for your help.

Bahan
_________________
Close the world.||.txen eht nepO

jefflowrey
Posted: Thu Aug 23, 2007 8:34 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

If the user is in the MQM group, you can't change what privileges they have, other than by removing them from MQM.
_________________
I am *not* the model of the modern major general.

PeterPotkay
Posted: Thu Aug 23, 2007 11:12 am

Poobah

Joined: 15 May 2001
Posts: 7722

Also, you don't need to REFRESH SECURITY or restart the QM if you are concerned with changes you made via setmqaut. Those take effect immediately.

The refresh command is only needed if you add or remove users from a group after the QM has started, since the QM caches who is in what groups at start up, for performance reasons.

As of 5.3, there is no need to bounce the QM for this purpose. REFRESH SECURITY will handle it.
_________________
Peter Potkay
Keep Calm and MQ On
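
The two replies above, turned into a check (an added example, not part of the original thread): a shell audit that first tests for mqm group membership, where setmqaut removals have no effect, and then compares dspmqaut output against an allow-list. The function names and the `connect inq` allow-list are assumptions; the sample listing is the one from the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Audits queue-manager authorities
# against an allow-list, given dspmqaut output in the format shown above.

# Constructed sample: the dspmqaut listing from the first post.
SAMPLE_DSPMQAUT='Entity MyUser has the following authorizations for object MyQM:
        inq
        set
        connect
        altusr
        crt
        dlt
        chg
        dsp
        setid
        setall'

# Print the authority keywords from dspmqaut output, one per line.
parse_auths() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF == 1 { print $1 }'
}

# Print authorities found in $1 (dspmqaut output) that are missing from
# the space-separated allow-list $2.
excess_auths() {
    found=""
    for a in $(parse_auths "$1"); do
        case " $2 " in
            *" $a "*) ;;
            *) found="${found:+$found }$a" ;;
        esac
    done
    printf '%s\n' "$found"
}

# Succeed if the group list $1 (as printed by `id -Gn`) contains mqm.
in_mqm_group() {
    case " $1 " in *" mqm "*) return 0 ;; *) return 1 ;; esac
}

# audit USER GROUPS DSPMQAUT_OUTPUT ALLOW_LIST
# Returns 2 for mqm members, 1 for excess authorities, 0 when clean.
audit() {
    if in_mqm_group "$2"; then
        echo "$1: in mqm group, setmqaut removals will not restrict it"
        return 2
    fi
    extra=$(excess_auths "$3" "$4")
    [ -z "$extra" ] && { echo "$1: within allow-list"; return 0; }
    echo "$1: excess authorities: $extra"
    return 1
}
```

On the MQ host, call it as `audit MyUser "$(id -Gn MyUser)" "$(dspmqaut -m MyQM -t qmgr -p MyUser)" "connect inq"`.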

mvarghese
Posted: Thu Aug 23, 2007 10:52 pm    Post subject: App connecting user id issue

Centurion

Joined: 27 Sep 2006
Posts: 141

The application is running on the same server as MQ ver6.
We faced a connection problem while connecting the application to the MQ QMGR. The application connects using binding mode, and we have not yet put any user id and password in the code to connect to the Qmgr. The connection problem was solved after putting the application ID, called APP1, in the mqm group.

But I don't want the APP1 ID to get all permissions as mqm; how do I tackle this issue? Anyway, by using setmqaut we cannot stop APP1 as long as it is part of the mqm group.
Let say if I got with steps http://hursleyonwmq.wordpress.com/2007/02/08/using-websphere-mq-explorer-as-a-read-only-viewer/

Can an application in binding mode be coded with a user id / password and connect using the user id specified in the MCAUSER of the SVRCONN? Any ideas?
_________________
Jain Varghese


Last edited by mvarghese on Thu Aug 23, 2007 11:12 pm; edited 1 time in total

Vitor
Posted: Thu Aug 23, 2007 11:10 pm    Post subject: Re: App connecting user id issue

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

mvarghese wrote:
problem was solved after putting the application ID, called APP1, in the mqm group.

But I don't want the APP1 ID to get all permissions as mqm; how do I tackle this issue?


I may be missing something here, but why not 1) remove APP1 from the mqm group 2) use setmqaut to provide the necessary permissions (including connect I'd warrant). Is this what you had originally when you experienced "some connection problem"? If so, what was the problem? Exactly? There may be another way to fix it.
_________________
Honesty is the best policy.
Insanity is the best defence.

mvarghese
Posted: Thu Aug 23, 2007 11:18 pm

Centurion

Joined: 27 Sep 2006
Posts: 141

Thanks Vitor,
Initially the APP1 user was given connect permission,
Still Binding mode of connection make any impact on this type of authentication.

Initially the application errored out, reporting a permission issue connecting to the QMGR. Can an application in binding mode be coded with a user id / password and connect using the user id specified in the MCAUSER of the SVRCONN? Any ideas?
_________________
Jain Varghese

Vitor
Posted: Thu Aug 23, 2007 11:35 pm

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

mvarghese wrote:
Can an application in binding mode be coded with a user id / password and connect using the user id specified in the MCAUSER of the SVRCONN?


A bindings connection doesn't use the client channel SVRCONN.

So you gave APP1 connect authority against the queue manager (not the queue) and other authorities as appropriate? And it threw a 2035? You need to enable security events and/or check the logs to determine that your application is using the user you think it is, and the 2035 is being thrown at the point you think it is. Especially if you're running inside an app server or similar.
_________________
Honesty is the best policy.
Insanity is the best defence.

mvarghese
Posted: Thu Aug 23, 2007 11:56 pm

Centurion

Joined: 27 Sep 2006
Posts: 141

Thanks Vitor, you are right, we were getting 2035 at that time. I need to retry this based on my present understanding from the above posts.
My problem is that we never got a chance to see the developers' code. But according to them, they are using binding mode of connection for better performance. But we have a SVRCONN running to serve the application connection.
I thought the way the Java client connects to the QMGR makes it binding mode, like using the properties
public static java.util.Hashtable properties ... Am I wrong?
_________________
Jain Varghese

Vitor
Posted: Fri Aug 24, 2007 12:18 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

You can't mix and match application connections. Either the application uses a bindings connection (and must be on the same box as the queue manager) or it uses a client connection via SVRCONN or similar (where it may or may not be on the same box). Hence an application coded to use bindings will ignore / be blind to any settings in SVRCONN.

They're right to say a bindings connection gives better performance but it does limit where the application is run.
_________________
Honesty is the best policy.
Insanity is the best defence.

fjb_saper
Posted: Fri Aug 24, 2007 5:35 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

And remember if using JMS you always need to add enquire as permission
_________________
MQ & Broker admin